tracee won't run in kernels v6.3 from stable tree #3068

Closed
rafaeldtinoco opened this issue May 8, 2023 · 4 comments · Fixed by #3069 or #3076
Comments

@rafaeldtinoco (Contributor) commented May 8, 2023

Description

1124: (0f) r3 += r1                   ; R1_w=256 R3_w=scalar()
; new_slim.user_ns = READ_KERN(userns_new->ns.inum);
1125: (63) *(u32 *)(r10 -168) = r7    ; R7=0 R10=fp0 fp-168=mmmm0000
1126: (bf) r1 = r10                   ; R1_w=fp0 R10=fp0
; struct cred *old = (struct cred *) get_task_real_cred(p.event->task);
1127: (07) r1 += -168                 ; R1_w=fp-168
; new_slim.user_ns = READ_KERN(userns_new->ns.inum);
1128: (b7) r2 = 4                     ; R2_w=4
1129: (85) call bpf_probe_read_kernel#113     ; R0_w=scalar() fp-168=mmmmmmmm
1130: (61) r1 = *(u32 *)(r10 -168)    ; R1_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0
; new_slim.user_ns = READ_KERN(userns_new->ns.inum);
1131: (63) *(u32 *)(r10 -128) = r1    ; R1_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0 fp-128=
; new_slim.securebits = READ_KERN(new->securebits);
1132: (63) *(u32 *)(r10 -168) = r7    ; R7=0 R10=fp0 fp-168=mmmm0000
1133: (b7) r1 = 36                    ; R1_w=36
1134: (0f) r6 += r1                   ; R1_w=36 R6_w=scalar()
1135: (bf) r1 = r10                   ; R1_w=fp0 R10=fp0
; struct cred *old = (struct cred *) get_task_real_cred(p.event->task);
1136: (07) r1 += -168                 ; R1_w=fp-168
; new_slim.securebits = READ_KERN(new->securebits);
1137: (b7) r2 = 4                     ; R2_w=4
1138: (bf) r3 = r6                    ; R3_w=scalar(id=22) R6_w=scalar(id=22)
1139: (85) call bpf_probe_read_kernel#113     ; R0=scalar() fp-168=mmmmmmmm
1140: (61) r1 = *(u32 *)(r10 -168)    ; R1_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0
; new_slim.securebits = READ_KERN(new->securebits);
1141: (63) *(u32 *)(r10 -124) = r1    ; R1_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0 fp-128=mmmmmmmm
; caps = READ_KERN(old->cap_inheritable);
1142: (7b) *(u64 *)(r10 -176) = r7    ; R7=0 R10=fp0 fp-176_w=00000000
1143: (b7) r1 = 40                    ; R1_w=40
1144: (bf) r3 = r9                    ; R3_w=scalar(id=20) R9=scalar(id=20)
1145: (0f) r3 += r1                   ; R1_w=40 R3_w=scalar()
1146: (bf) r1 = r10                   ; R1_w=fp0 R10=fp0
; struct cred *old = (struct cred *) get_task_real_cred(p.event->task);
1147: (07) r1 += -176                 ; R1_w=fp-176
; caps = READ_KERN(old->cap_inheritable);
1148: (b7) r2 = 8                     ; R2_w=8
1149: (85) call bpf_probe_read_kernel#113     ; R0_w=scalar() fp-176_w=mmmmmmmm
1150: (79) r1 = *(u64 *)(r10 -176)    ; R1_w=scalar() R10=fp0
1151: (7b) *(u64 *)(r10 -168) = r1    ; R1_w=scalar() R10=fp0 fp-168_w=mmmmmmmm
1152: (bf) r6 = r10                   ; R6_w=fp0 R10=fp0
; struct cred *old = (struct cred *) get_task_real_cred(p.event->task);
1153: (07) r6 += -168                 ; R6_w=fp-168
; old_slim.cap_inheritable = ((caps.cap[1] + 0ULL) << 32) + caps.cap[0];
1154: <invalid CO-RE relocation>
failed to resolve CO-RE relocation <byte_off> [567] typedef kernel_cap_t.cap[0] (0:0:0 @ offset 0)
processed 789 insns (limit 1000000) max_states_per_insn 0 total_states 45 peak_states 45 mark_read 33
-- END PROG LOAD LOG --"}
{"level":"warn","ts":1683513689.8942,"msg":"libbpf: prog 'trace_commit_creds': failed to load: -22"}
{"level":"warn","ts":1683513689.8949397,"msg":"libbpf: failed to load object ''"}

Output of tracee -v:

v0.14.0

Output of uname -a:

Linux fujitsu 6.3.1 #1 SMP PREEMPT_DYNAMIC Sun May  7 20:56:23 -03 2023 x86_64 x86_64 x86_64 GNU/Linux

Additional details

https://github.com/aquasecurity/tracee/actions/runs/4910890741/jobs/8771966816

@rafaeldtinoco rafaeldtinoco added this to the v0.14.1 milestone May 8, 2023
@rafaeldtinoco rafaeldtinoco linked a pull request May 8, 2023 that will close this issue
@rafaeldtinoco (Contributor, Author) commented May 8, 2023

Kernel v6.1 seems to be failing as well:

https://github.com/aquasecurity/tracee/actions/runs/4910890741/jobs/8771966676

but not the same problem, and I couldn't reproduce locally:

$ uname -a
Linux e2etests 6.1.27 #2 SMP PREEMPT_DYNAMIC Sun May  7 22:49:08 -03 2023 x86_64 x86_64 x86_64 GNU/Linux

INFO: 
INFO: = TEST: TRC-107 =================================================
INFO: 
{"level":"info","ts":1683534599.5335987,"msg":"Signatures loaded","total":1,"signatures":["TRC-107"]}
INFO: 
INFO: UP AND RUNNING
INFO: 

*** Detection ***
Time: 2023-05-08T08:30:16Z
Signature ID: TRC-107
Signature: LD_PRELOAD code injection detected
Data: map[]
Command: trc107.sh
Hostname: f15e9ed000d4

*** Detection ***
Time: 2023-05-08T08:30:16Z
Signature ID: TRC-107
Signature: LD_PRELOAD code injection detected
Data: map[]
Command: trc107.sh
Hostname: f15e9ed000d4
INFO: 
INFO: TRC-107: SUCCESS
INFO: 
INFO: 
INFO: ALL TESTS: SUCCESS

Re-triggered 6.1 tests only.

@yanivagman (Collaborator)

I believe this shouldn't have been closed, right?

@yanivagman yanivagman reopened this May 8, 2023
@rafaeldtinoco (Contributor, Author)

Kernel v6.1 seems to be failing as well:

For v6.1: #3074

@rafaeldtinoco (Contributor, Author)

This happens because of a type change, will create the struct flavor and change appropriate code to fix the issue (and make sure it works < 6.1 as well).
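The CO-RE failure in the verifier log is a type-layout change: the relocation `typedef kernel_cap_t.cap[0]` has no candidate in the running kernel's BTF because v6.3 replaced the two-word `cap[2]` array with a single 64-bit value. The "struct flavor" approach mentioned above is libbpf's mechanism for this: declare a local type whose name carries a `___suffix`, and libbpf matches it against the kernel type with the suffix stripped, while `bpf_core_type_exists()` tells the program at load time which layout the kernel has. The following is an added example written for this thread; it is not tracee's code and not the fix merged in #3069 or #3076. It assumes the pre-6.3 layout `struct kernel_cap_struct { __u32 cap[2]; }` and the v6.3+ layout `struct { u64 val; }`, assumes vmlinux.h was generated from a v6.3+ kernel when built for the BPF target, and the flavor name `kernel_cap_struct___older`, the helper `credcap_to_u64` and the host-side test helpers are my own names. The host branch exists so the fold logic can be unit-tested without loading a BPF program; it is not how the code runs in the kernel.

```c
/*
 * Added example, not tracee's code or the fix in #3069/#3076: read a
 * kernel_cap_t across the v6.3 layout change with a libbpf CO-RE struct flavor.
 *
 * Assumed layouts (check include/linux/capability.h of the target kernel):
 *   before v6.3:  typedef struct kernel_cap_struct { __u32 cap[2]; } kernel_cap_t;
 *   v6.3+:        typedef struct { u64 val; } kernel_cap_t;
 *
 * Built with clang -target bpf this uses the real libbpf CO-RE macros and
 * assumes vmlinux.h was generated from a v6.3+ kernel (so kernel_cap_t has .val).
 * Built as ordinary host C it substitutes plain reads and a runtime flag so the
 * fold logic can be unit-tested without loading a BPF program.
 */
#ifdef __bpf__
#include "vmlinux.h"
#include <bpf/bpf_core_read.h>
#include <bpf/bpf_helpers.h>
#define CAP_READ(ptr, field)   BPF_CORE_READ(ptr, field)
#define OLDER_LAYOUT_EXISTS()  bpf_core_type_exists(struct kernel_cap_struct___older)
#else
#include <stdint.h>
#include <stdio.h>
typedef uint32_t __u32;
typedef uint64_t __u64;
typedef struct { __u64 val; } kernel_cap_t;   /* host stand-in: v6.3+ shape */
static int older_layout_exists;               /* host stand-in for bpf_core_type_exists() */
#ifndef __always_inline
#define __always_inline inline __attribute__((always_inline))
#endif
#define CAP_READ(ptr, field)   ((ptr)->field)
#define OLDER_LAYOUT_EXISTS()  (older_layout_exists)
#endif

/*
 * CO-RE flavor of the pre-6.3 struct. libbpf ignores everything from the
 * first "___" in a type name when matching against the running kernel's BTF,
 * so this resolves to kernel_cap_struct on older kernels and has no candidate
 * at all on v6.3+, where bpf_core_type_exists() evaluates to 0.
 */
struct kernel_cap_struct___older {
    __u32 cap[2];
};

/*
 * Fold a kernel_cap_t into one 64-bit mask (bit n set == CAP_n held).
 * bpf_core_type_exists() is a load-time constant, so on v6.3+ the cap[0]/cap[1]
 * relocations sit in a dead branch the verifier never reaches, which is what
 * avoids the "<invalid CO-RE relocation>" poisoned instruction seen in the log.
 */
static __always_inline __u64 credcap_to_u64(kernel_cap_t *caps)
{
    if (OLDER_LAYOUT_EXISTS()) {
        struct kernel_cap_struct___older *old = (struct kernel_cap_struct___older *) caps;
        __u64 lo = CAP_READ(old, cap[0]);
        __u64 hi = CAP_READ(old, cap[1]);
        return (hi << 32) | lo;
    }
    return CAP_READ(caps, val);
}

#ifndef __bpf__
/* Host-only helpers: build each layout from raw words and fold it. */
__u64 fold_older_layout(__u32 lo, __u32 hi)
{
    struct kernel_cap_struct___older old = { .cap = { lo, hi } };
    older_layout_exists = 1;
    return credcap_to_u64((kernel_cap_t *) &old);
}

__u64 fold_newer_layout(__u64 val)
{
    kernel_cap_t cur = { .val = val };
    older_layout_exists = 0;
    return credcap_to_u64(&cur);
}

int main(void)
{
    /* Constructed input: all 41 capability bits (CAP_0..CAP_40) in both layouts. */
    __u64 from_old = fold_older_layout(0xffffffffU, 0x1ffU);
    __u64 from_new = fold_newer_layout(0x1ffffffffffULL);
    printf("old layout -> %#llx, new layout -> %#llx, equal=%d\n",
           (unsigned long long) from_old, (unsigned long long) from_new,
           from_old == from_new);
    return from_old == from_new ? 0 : 1;
}
#endif
```

Two things to check when adopting this pattern: the `.val` access only compiles if the vmlinux.h used for the build already has the v6.3+ shape (building against an older vmlinux.h needs a second flavor for the new layout instead), and the `___older` flavor must be declared only in the program's own header, never in vmlinux.h itself, or the name will collide with the generated `kernel_cap_struct`.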
